From: "Filip Sneppe (Cronos)" <filip.sneppe@cronos.be>
To: Carlos Fernandez Sanz <cfs-netfilter@nisupu.com>
Cc: netfilter-devel@lists.netfilter.org,
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Subject: Re: MSN helper module
Date: 17 Dec 2002 22:52:12 +0100 [thread overview]
Message-ID: <1040161933.615.71.camel@exile> (raw)
In-Reply-To: <002801c2a5fb$1eb92660$152ea8c0@maincomp>
On Tue, 2002-12-17 at 19:35, Carlos Fernandez Sanz wrote:
> Yes, it needs some support for file tranmission, voice, etc. The protocol
> works a lot like FTP when using PORT (active) connections. The initiator
> client sends its IP address and a port number for the other end to connect
> to. For basic messaging it doesn't need any special NAT support, though -
> the reason being that all connections are outgoing and there are no related
> children connections.
>
> So it is not a lot of work but it needs to be done. I haven't found anything
> about it so I'm assuming no one has started any work, so I'll do it myself.
> Anyway it's pretty much a one man job.
>
Hi Carlos,
If you're thinking about this, these links will be of great help:
http://www.hypothetic.org/docs/msn/index.php
http://www.hypothetic.org/docs/msn/ietf_draft.php
http://www.venkydude.com/articles/msn.htm
I started working on a connection tracking module for this, but
really didn't go any further than adding the basic conntrack/nat
helper framework.
If you're really serious about this, I can send you a diff of
the basic conntrack/nat module to get you started. Just let me
know.
One thing to watch out for when writing a conntracker for
this, is that the MSN packet that should add an expectation for
a file transfer should contain data that like this:
...
Invitation-Command: ACCEPT
Invitation-Cookie: 33267
IP-Address: 10.44.102.65
Port: 6891
AuthCookie: 93301
...
Now the problem is that MSN also allows some chat-like protocol
over the same port.
If you're writing a conntracker, you must make sure that you
are not parsing the "Messaging" packets as file transfer
requests. Otherwise the code has a security vulnerability
where a specially crafted "Messaging" packet can add a firewall
connection expectation. When I realized my module was going to
have to detect this, I realized this wasn't going to be a
"weekend project" kind of thing and sort of gave up on it
for now. It would be great if you picked up the slack !
Regards,
Filip
next prev parent reply other threads:[~2002-12-17 21:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-12-16 23:57 MSN helper module Carlos Fernandez Sanz
2002-12-17 7:54 ` Patrick Schaaf
2002-12-17 9:51 ` Carlos Fernandez Sanz
2002-12-17 16:46 ` Michael Richardson
2002-12-17 18:35 ` Carlos Fernandez Sanz
2002-12-17 21:52 ` Filip Sneppe (Cronos) [this message]
2002-12-17 21:46 ` Carlos Fernandez Sanz
2002-12-17 22:38 ` Filip Sneppe (Cronos)
2002-12-18 0:56 ` Carlos Fernandez Sanz
2002-12-18 3:46 ` Octavio / Super
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1040161933.615.71.camel@exile \
--to=filip.sneppe@cronos.be \
--cc=cfs-netfilter@nisupu.com \
--cc=mcr@sandelman.ottawa.on.ca \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.